To understand the sensitive role of biometric data in enterprise information governance, you first have to understand its basic nature -- mainly, that it is very difficult to alter and often inextricable from the individual that it came from. You can easily change your debit card number if it has been stolen, right? But doing the same for your fingerprints or iris is impossible. Biometric information doesn’t simply provide a code or number permanently assigned to a person, it provides a measure of that person. Biometric systems provide data on the fundamental physical identity of the self -- a self that has the right to change jobs, move on from an organization, and still have the reasonable expectation that his or her identity and data will remain protected.

So, for professionals who work in information governance, this brings up two critical questions:

1. Who, exactly, has ownership of this data?

2. How should the business manage this data?

The first, unfortunately, is nearly impossible to answer now. Privacy laws for nonmedical biometric data are still nascent in the US, and determining data ownership between the enterprise and the individual can be difficult and is influenced by many variables.

Many businesses harbor some sort of biometric data originating from employees. So, while the first question may remain unanswered now, it’s clear that data management itself must be considered before biometric data becomes more commonplace. Failure to think about governance and security practices today could mean beginning too late to prevent a breach or misappropriation tomorrow.

There may not be that much biometric data currently in the average enterprise, but its use is on the rise. Both the private and public sectors probably (and legally) have some of your biometric data right now. If you’ve ever worked for a government-affiliated organization and achieved any type of security clearance, it has your fingerprint data. If you have a US driver’s license -- even if you have no criminal record -- there’s a good chance that the FBI is already analyzing your photo for a facial-recognition database. The information that HR departments handle on a regular basis -- Social Security numbers, home addresses, health insurance details, tax information, etc. -- already poses privacy and security threats of a kind that hardly compares with traditionally stolen data types such as credit card numbers.

These hypothetical threats may seem nebulous given today’s relatively low use of biometrics in the average business, but they’re still a concern. If a regular breach of business documents is a disaster, one with inherently personal data is a legal, monetary, and PR disaster.

As of 2016, the average cost of a breach in the US is $4 million over three years, and the average cost per breached business record is $158. Because most breaches until now have involved more traditional data types such as business records, emails, and financial data, the enterprise should expect costs to rise as increasingly granular data belonging to individuals becomes available. The most prized data types currently are those that the individual can’t change; medical records have far surpassed credit card numbers in their value on the black market. It’s not unlikely that personal biometric data -- especially types that are unalterable -- will have similar value.

The most logical first step for today’s information governance professionals would be to simply identify what biometric data may exist within the enterprise. This can include (but isn’t limited to) the following:

- Fingerprints
- Iris scans/images
- Close-up facial photos
- EEGs (used in neuromarketing research)
- Fitness tracker and heart-rate data
- Personal handwriting and signatures

Once that’s done, mapping the potential locations where that data exists is necessary to determine where the most likely risks exist.

Possible places that biometric data reside within the enterprise can include:

- File-sharing environments
- Archives and information governance platforms
- Building entry and physical security systems
- Third-party password management software
- Productivity platforms (such as Evernote)
- Scanned and photographed note repositories
- Enterprise social media accounts
- Software-as-a-service products

The key objective for the immediate future is to determine what’s within the realm of control, and how security can be strengthened for the locations where sensitive items are most likely to be found. This relatively simple task today will be important for the future, regardless of how common biometric data becomes in business.

So “bring your own body” isn’t quite the HR policy violation it sounds like. It’s a call to action for information governance and security. It’s time to identify sources of employee biometric data, and to ensure that it is properly governed and secured within enterprise systems.

Kon Leong is CEO/Co-founder of ZL Technologies. For two decades, he has been immersed in large-scale information technologies to solve "big data" issues for enterprises. His focus for the last 14+ years has been on massively scalable archiving technology to solve records ...

I definitely want real safeguards in place before I hand over any biometric data to any companies. As you point out, while biometric data is more unique than passwords and other forms of security, it's still only as useful as the security in place protecting that data.

I'm also concerned that the NSA and other intelligence agencies would love to get their hands on that sort of data. I'd want guarantees that it would only be sent over in the case of a warranted, criminal investigation, not just scooped up randomly when I use it for a login.

What will happen when your biometrical data has been breached? Will you be fired or forced to take a long vacation since you are the vulnerability? Or will the company just provide you with some plastic surgery? :)

I agree, we have only one body but can have many passwords. It reminds me of the OPM breach in which sensitive data about former gov't employees and their family was stolen, information that you cannot erase and replace, information that can identify an individual solely. But yet still information, not a finger, a pupil, a heart... I am staying away from biometrics until we have a better answer on how to keep that data safe... I am sure it will be a while.
